coreutils

Some options I would like to see on AIX


From: Michael Felt
Subject: Some options I would like to see on AIX
Date: Fri, 5 Jun 2015 16:08:31 +0200

Two 'core' commands I use often are df and ls.

An easy option (I would hope) to add is '-g' for gigabytes.

AIX df:

michael@x071:[/usr/bin]/usr/bin/df -g .
Filesystem    GB blocks      Free %Used    Iused %Iused Mounted on
/dev/hd2           3.00      0.18   94%    57355    54% /usr
michael@x071:[/usr/bin]

CoreUtils df (8.21 - so if 8.22 or 8.23 has added it, please ignore this!)

michael@x071:[/usr/bin]/opt/bin/df -g .
/opt/bin/df: invalid option -- 'g'
Try '/opt/bin/df --help' for more information.

Also, an important option for AIX is seeing the extended inode bits (this may be part of xattr that configure does not understand for AIX (or I do not understand as a packager)).

AIX has two documented 'extended bits'; where they are is not officially documented, but find -perm will find them at positions 100000000 and 200000000.

Position 100000000 is for the so-called 'trusted-program-bit' and is no longer used on current AIX 6.1 and AIX 7.1 unless the system has migrated from AIX 5.3 (and TCB was enabled). Starting with AIX 6.1 the default is to use RBAC as security configuration definition - and the so-called tsh (trusted shell) is no longer relevant. Position 200000000 means there is an ACL defined AND enabled (if only defined - the bit is clear).

What AIX /usr/bin/ls does with the option -e is add an extra -|+ to the listing of the file permissions.

For example, on AIX 5.3 (where TCB is still potentially used) you could see:

root@x064:[/usr/bin]/usr/bin/ls -l /usr/bin/ls
-r-xr-xr-x   1 bin      bin           28256 Mar 10 13:44 /usr/bin/ls
root@x064:[/usr/bin]/usr/bin/ls -e /usr/bin/ls
-r-xr-xr-x-   1 bin      bin           28256 Mar 10 13:44 /usr/bin/ls
root@x064:[/usr/bin]grep -p /usr/bin/ls /etc/security/sysck.cfg
/usr/bin/lssrc:
          owner = root
          group = system
          mode = TCB,SGID,555
          type = FILE
          class = apply,inventory,bos.rte.SRC
          size = 4078
          checksum = "49717     4 "

/usr/bin/lscore:
          owner = root
          group = security
          mode = TCB,SUID,555
          type = FILE
          class = apply,inventory,bos.rte.security
          size = 24000
          checksum = "57255    24 "

/usr/bin/lssec:
          owner = root
          group = security
          mode = TCB,SUID,550
          type = FILE
          class = apply,inventory,bos.rte.security
          size = 57480
          checksum = "34698    57 "

root@x064:[/usr/bin]

As /usr/bin/ls is not in the TCB (the file /etc/security/sysck.cfg) it is not a trusted command, and if the trusted shell were active, the program would not execute (or even remain running anywhere in the terminal subshells).

The command lssec is part of the TCB - and the ls command would show a + in the additional location.

root@x064:[/usr/bin]/usr/bin/ls -l /usr/bin/lssec             
-r-sr-x---   1 root     security      57480 Mar 10 13:44 /usr/bin/lssec
root@x064:[/usr/bin]/usr/bin/ls -e /usr/bin/lssec
-r-sr-x---+   1 root     security      57480 Mar 10 13:44 /usr/bin/lssec

So, the key 'request' is to accept the -e option and report + when bit (octal) 100000000 or bit 200000000 is set.

Bit 200000000 is still valid on AIX 6.1 and AIX 7.1 - just not very common.

michael@x071:[/etc/security/tsd]/usr/bin/find /var/htdocs -perm -200000000 -ls
426240    4 drwxrwx--- 14 michael   httpd         4096 Sep  2  2010 /var/htdocs/rootvg/rootvg.x
426241    9 -rw-r-----  1 michael   httpd         8520 Feb 17  2009 /var/htdocs/rootvg/rootvg.x/.htaccess

michael@x071:[/etc/security/tsd]aclget /var/htdocs/rootvg/rootvg.x
*
* ACL_type   AIXC
*
attributes:
base permissions
    owner(michael):  rwx
    group(httpd):  rwx
    others:  ---
extended permissions
    enabled
    permit   r-x     u:nobody

This ACL was setup so that when accessed by root on NFS clients it could still be read (by default root is user 'nobody' during NFS client mounts).

michael@x071:[/usr/bin]/usr/bin/ls -ld /var/htdocs/rootvg/rootvg.x
drwxrwx---   14 michael  httpd          4096 Sep 02 2010  /var/htdocs/rootvg/rootvg.x
michael@x071:[/usr/bin]/opt/bin/ls -le /var/htdocs/rootvg/rootvg.x
/opt/bin/ls: invalid option -- 'e'
Try '/opt/bin/ls --help' for more information.

P.S. To my surprise I see /opt/bin/ls is already providing a + - without the -e option!

michael@x071:[/usr/bin]/opt/bin/ls -ld /var/htdocs/rootvg/rootvg.x
drwxrwx---+ 14 michael httpd 4096 Sep  2  2010 /var/htdocs/rootvg/rootvg.x

But it does not do the same for a regular file (on AIX 5.3) - the coreutils were compiled on AIX 5.3!

root@x064:[/usr/bin]/usr/bin/ls -e /usr/bin/lssec                                          
-r-sr-x---+   1 root     security      57480 Mar 10 13:44 /usr/bin/lssec
root@x064:[/usr/bin]/opt/bin/ls -e /usr/bin/lssec
/opt/bin/ls: invalid option -- 'e'
Try '/opt/bin/ls --help' for more information.
root@x064:[/usr/bin]/opt/bin/ls -l /usr/bin/lssec
-r-sr-x--- 1 root security 57480 Mar 10 13:44 /usr/bin/lssec
root@x064:[/usr/bin]/opt/bin/ls -ld /usr/bin/lssec
-r-sr-x--- 1 root security 57480 Mar 10 13:44 /usr/bin/lssec

So, while /opt/bin/ls -ld does show output similar to /usr/bin/ls -ed when given a directory, the -d option alone does not.

michael@x071:[/usr/bin]/opt/bin/ls -ld /var/htdocs/rootvg/rootvg.x
drwxrwx---+ 14 michael httpd 4096 Sep  2  2010 /var/htdocs/rootvg/rootvg.x
michael@x071:[/usr/bin]/opt/bin/ls -l /var/htdocs/rootvg/.x      
michael@x071:[/usr/bin]/opt/bin/ls -d /var/htdocs/rootvg/rootvg.x
/var/htdocs/rootvg/rootvg.x


So, while this is meant to be a feature request - maybe I discovered a bug as well :)

Sincerely,
Michael
